[Asrg] Re: [Politech] Congress finally poised to vote on anti-spam bill [sp]

Bill Stewart bill.stewart at pobox.com
Mon Nov 24 16:15:32 PST 2003


At 04:20 PM 11/21/2003 -0800, Hallam-Baker, Phillip wrote:
>We need to consider the technical workings of the do-not-spam list and the
>requirements that we would like the FTC to meet.

... [reasonable goals] ...  [hashed-form lists instead of plaintext]...
>5) Allow domain name owners to list their domains.
>6) Provide for authentication of listing requests

Especially for domains, it's important to do some validation,
though in the absence of widely-deployed DNSSEC, it's hard to do automatically.
Perhaps 3-way-handshake email to postmaster at example.com or
the whois administrative contact address.
(This also has the side-effect of requiring people to actually use their
postmaster addresses, at least for fifteen minutes or so :-)

And while hashing has the obvious risk of dictionary attacks,
it'll at least cut back on some of the abuses,
especially if the list is dynamic and the spamware vendors who
do the dictionary attacks want to charge lots of money for it.
Also, the scale's a lot more annoying searching a million obvious names
on each of 20 million domains with a hash that takes a second per hit,
though Moore's Law will obviously erode the hash time.
Obviously spammers will target popular mail systems first.

However, there are two special email address forms that complicate this a bit
- tagged addresses - username+tag at example.com
         There are several different syntaxes for this - plusses, dashes, etc.,
         and either you just ignore the problem
         (let the user register however many tagged addresses they want),
         or else you special-case the rules so that bulk-emailers
         who want to send mail to a plus-tagged address also must
         check the untagged version.
- per-user subdomains - anything at username.example.com
         Technically this is no different than any other per-domain blocking,
         but administratively it's different, because there's no whois record
         and there might not be a postmaster address.

There's a scalability problem that has to be solved,
which is how to prevent a DOS-by-signing-up-too-many-addresses attack.
An example would be a Turing test image on a web page
(which has the downside of preventing automated signups,
as well as annoying blind people), or else requiring a
hashcash puzzle that takes ten times as long as the list's hash function.
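
Added example, not part of the original message: a Python sketch of the lookup a bulk mailer would run against a hashed list, applying the special-case rule that a plus-tagged address also requires checking the untagged version, and letting a listed domain cover its per-user subdomains. PBKDF2, the salt, the iteration count and the `@domain` entry convention are assumptions of this sketch, and all sample addresses are constructed.

```python
import hashlib

# Assumptions: a public list-wide salt and PBKDF2 as the deliberately slow
# hash. The iteration count is a placeholder; an operator would tune it
# toward the per-lookup cost they want to impose.
LIST_SALT = b"constructed-example-salt"
ITERATIONS = 10_000

def slow_hash(entry):
    return hashlib.pbkdf2_hmac("sha256", entry.encode("utf-8"), LIST_SALT, ITERATIONS).hex()

def lookup_forms(address):
    """Every list entry that could cover this address, most specific first."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    forms = [f"{local}@{domain}"]
    # Tagged address: also check the untagged mailbox. Only the plus syntax
    # is handled; dash tags are ambiguous with ordinary hyphenated names.
    base = local.split("+", 1)[0]
    if base and base != local:
        forms.append(f"{base}@{domain}")
    # Domain entries (written "@domain" here), walking up parent domains so
    # a per-user subdomain is covered by a listing of the domain above it.
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        forms.append("@" + ".".join(labels[i:]))
    return forms

def build_list(entries):
    return {slow_hash(e.strip().lower()) for e in entries}

def is_listed(address, hashed_list):
    # One slow hash per candidate form, so tagging multiplies lookup cost.
    return any(slow_hash(form) in hashed_list for form in lookup_forms(address))

# Constructed sample registrations; only the hashes are kept.
SAMPLE = build_list(["alice@example.com", "@example.net", "carol+lists@example.org"])

if __name__ == "__main__":
    for addr in ["alice+shop@example.com", "x@bob.example.net", "carol@example.org"]:
        print(addr, is_listed(addr, SAMPLE))
```

Registering only a tagged address (`carol+lists@example.org`) does not list the untagged mailbox, which matches the "register however many tagged addresses they want" option in the message.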
